brcmfmac: add length checks in scheduled scan result handler
authorArend Van Spriel <arend.vanspriel@broadcom.com>
Thu, 6 Apr 2017 12:14:40 +0000 (13:14 +0100)
committerKalle Valo <kvalo@codeaurora.org>
Thu, 13 Apr 2017 14:07:22 +0000 (17:07 +0300)
Assure the event data buffer is long enough to hold the array
of netinfo items and that SSID length does not exceed the maximum
of 32 characters as per 802.11 spec.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

index 89ac12437c928e4e9b9a36e2d86f04a7f759fa8c..760781f4abd24ebc03981cff89df25c9fcbe4df4 100644 (file)
@@ -3300,6 +3300,7 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
        struct brcmf_pno_scanresults_le *pfn_result;
        u32 result_count;
        u32 status;
+       u32 datalen;
 
        brcmf_dbg(SCAN, "Enter\n");
 
@@ -3326,6 +3327,14 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
                brcmf_err("FALSE PNO Event. (pfn_count == 0)\n");
                goto out_err;
        }
+
+       netinfo_start = brcmf_get_netinfo_array(pfn_result);
+       datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result);
+       if (datalen < result_count * sizeof(*netinfo)) {
+               brcmf_err("insufficient event data\n");
+               goto out_err;
+       }
+
        request = brcmf_alloc_internal_escan_request(wiphy,
                                                     result_count);
        if (!request) {
@@ -3333,8 +3342,6 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
                goto out_err;
        }
 
-       netinfo_start = brcmf_get_netinfo_array(pfn_result);
-
        for (i = 0; i < result_count; i++) {
                netinfo = &netinfo_start[i];
                if (!netinfo) {
@@ -3344,6 +3351,8 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
                        goto out_err;
                }
 
+               if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
+                       netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
                brcmf_dbg(SCAN, "SSID:%.32s Channel:%d\n",
                          netinfo->SSID, netinfo->channel);
                err = brcmf_internal_escan_add_info(request,